this might be premature, but a system I was working on that had msblaster on it
wouldn't allow access to task mgr, msconfig or regedit even after msblaster
was removed... then while it was off-line it started trying to reach 4
domains... a window would pop up and time out then another attempt would be made to
the next address... it would cycle around repeatedly and clicking cancel would
just cause it to go to the next one.. after backtracking the names I called
the only one that might still be open at 4 pm PST... about 8 pm a sys admin
called back to say this account had been opened within the last two weeks and
he was very concerned about their activities... he closed the account and
looked at what they'd been doing and found "a large number of IP's" which made him
suspicious... we agreed to cooperate with the authorities and I'm sending an
email to the supervisory agent of the FBI's Computer Analysis Response Team
who I met at the Univ of Idaho forensics workshop last Sept... don't know if
there's a connection between this activity and msblaster or if it'll lead to who
wrote it but if it does it'll be worth all the effort to get them...
another thing I've experienced is pop-ups saying there's a trojan in the system
volume information folder on my computer... after much checking and scanning
nothing showed and I'm beginning to wonder if this is a new game being played to
create noise and havoc... on the other hand this pop-up seemed to have some
specific details about this folder... am wondering if there might be something
hiding in an alternate data stream and invisible to scanning or just some
smart alec with a weird sense of humor...
Paul Braga